Information Leak Through Cookies



Description

Cookies are used by web applications to store data in the browser. Cookies might be marked as persistent and stored for an extended period of time. An attacker might gain access to the drive that stores the cookies and recover sensitive data from them. The exact impact depends on the nature of the sensitive data in the cookies. This vulnerability applies to web applications that use cookies.

Impact

The exact impact of this vulnerability depends on the sensitive data stored in the cookies that the attacker has gained access to. Usually this is session data that keeps a user authenticated to an application. In that case, the attacker is able to impersonate the authenticated user. The ability to impersonate an authenticated user allows the attacker to carry out any actions that are available to that user within the application. That might be enough for the attacker, or they might use that access to leverage additional vulnerabilities for additional privileges.

Countermeasures

To prevent this vulnerability, don't store sensitive data in persistent cookies.

Don't store sensitive data in persistent cookies:

Application Check

To check for adequate protection against this vulnerability, find all code that stores cookies and ensure that sensitive data is not stored in persistent cookies.

Sensitive data is not stored in persistent cookies:

!Have a comment about this article? Send our team an email.